Six European Data Protection Authorities Will Launch Legal Actions against Google Stemming from its Privacy Policy

The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).

The first year of existence of Google’s new privacy policy has been eventful

Google’s new privacy policy has been under the scrutiny of the European Data Protection Authorities since its launch was announced by Google at the end of January 2012.

The findings of the European Data Protection Authority on Google’s Privacy Policy

Google’s new privacy policy unified more than 60 different privacy policies across Google’s services and apps under one single privacy policy that covers almost every Google product and service. In addition, it allowed Google to combine data collected in every service into a single detailed user profile. To give an example, if a user searches for cooking recipes through the Google search engine, Google can use this information to suggest cooking videos on YouTube!.

The Article 29 Working Party determined that Google’s privacy policy does not comply with the Directive’s obligation to precisely inform the user of the type of data collected, its purposes and its recipients because the policy is too general. As a result, a user is unable to determine which categories of data are processed in the service that is used and for which purpose they are processed. In addition, the Article 29 Working Party stated that the combination of data requires the unambiguous consent of the user and that this large combination of data is disproportionate and creates high risks to the privacy of the user. Finally, Google has not specified the retention periods for the data it processes, in breach of the Directive.

National Enforcement Actions in Six EU Countries

Google decided not to implement the Article 29 Working Party’s recommendations.

Following a meeting with Google on March 19,, 2013 the national Data Protection Authorities of 6 of the 27 EU Member States announced that each will launch investigations and enforcement procedures against Google. Unlike the initial assessment phase that was coordinated by the CNIL on behalf of the other EU authorities, these investigations and enforcement procedures are not being jointly pursued. Indeed, each national Data Protection Authority has its own procedures, powers and sanctions.

Although the authorities have announced that they will cooperate together, Google will nevertheless face six distinct national procedures, and should they result in divergent decisions, there is no system to reconcile them. One goal of EU data protection reform is to establish a new system of supervision when data processing has an EU-wide impact. Under the proposition for a new EU data protection regulation made by the European Commission in January 2012 [http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf] and currently under review before the European Parliament, only the Data Protection Authority of the EU country where the company has its main establishment would be in charge of taking legally binding decisions against a non-compliant company (one-stop shop). In addition, mandatory cooperation between national authorities, as well as a consistency mechanism at the EU level, would be implemented to ensure consistency across investigations and enforcement procedures.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.